View Full Version : Really weird obfuscation


andyred
February 2nd, 2010, 16:27
Hi guys

I started working on a new file today. A friend of mine sent me this link and told me he has never seen such obfuscation. I have tried all the packer detectors out there; it seems the file is not packed but is very well obfuscated. I didn't manage to find out what the creator used to obfuscate it. Please don't tell me how to deobfuscate it or patch it. I only want to know what was used to do it; this makes things more interesting.
Maybe some of you have seen this before or have any ideas and can help with this.
Anyway, thanks in advance.

I have attached the file

Kayaker
February 2nd, 2010, 19:18
How about we try this differently. You see, we're awfully suspicious around here, especially when first time posters attach questionable files.

I don't understand why you've attached a full install setup.exe + msi. Plus a pdf titled "Making money from youtube.pdf", plus a readme.txt file directing to a youtube marketing site where they brag about "post hundreds of votes and comments to your video".

How do we spell s-p-a-m?

If you really want suggestions about an obfuscated file, fine, people here love that kind of thing. Instead why don't you upload JUST the file in question and (VERY IMPORTANT), follow the rules by password protecting the zip file OR rename the executable file to something other than *.EXE, so no one clicks on it by accident.

If your question is valid, you are welcome here and need to do as I suggested. If not, go away, you will be chased. If any member really wants to look at the original crap, PM me.

Kayaker

andyred
February 2nd, 2010, 19:33
I'm very sorry about this. I didn't try to spam, I thought the kit was ok to upload. Just wanted to hear your opinion on this file. I have followed your advice and archived only the files necessary to execute the application. The password for the archive is: obfuscate.
Sorry again for any misunderstanding caused.

Kayaker
February 2nd, 2010, 19:41
That's better, thanks. Understand we get a lot of spam and stuff here, so an install package like you originally posted raises a few red flags.

This thing has a disasm.dll file, with a creation date of today? Hmm, this should be interesting...

andyred
February 2nd, 2010, 19:49
I tried several things to see what kind of obfuscation this is; the disasm.dll is probably the result of what I've tried so far.
And don't worry, I'm here to learn more, not to spam.

Kayaker
February 2nd, 2010, 20:10
You might see if any of these are useful to you

http://www.woodmann.com/collaborative/tools/index.php/Category:.NET_Tools

andyred
February 2nd, 2010, 20:24
Tried most of them... still struggling.